http://localhost/ticket/1057 <pre class="wiki">$ curl "http://127.0.0.1:5000/api/rest/package/annakarenina?callback=&lt;script&gt;jsoncallback" </pre><p> gives: </p> <pre class="wiki">&lt;script&gt;jsoncallback({"id": "c10ebd31-5b45-4f6f-885d-dca9b18caec4", "name": "annakarenina", "title": "A Novel By Tolstoy", </pre><p> which could run script code in the client who made the call. </p> <p> One idea for filtering: <a class="ext-link" href="http://tav.espians.com/sanitising-jsonp-callback-identifiers-for-security.html"><span class="icon">​</span>http://tav.espians.com/sanitising-jsonp-callback-identifiers-for-security.html</a> Maybe just better to have a restricted whitelist of characters to be even more sure. </p> <p> Same as: <a class="ext-link" href="https://trac.dataco.coi.gov.uk/projects/datagov/ticket/906"><span class="icon">​</span>https://trac.dataco.coi.gov.uk/projects/datagov/ticket/906</a> </p> en-us http://assets.okfn.org/p/ckan/img/ckan_logo_shortname.png http://localhost/ticket/1057 Trac 0.12.3 toby Mon, 13 Feb 2012 16:23:56 GMT http://localhost/ticket/1057#comment:1 http://localhost/ticket/1057#comment:1 <ul> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> </ul> <p> fixed in commit 3d7cbf0 </p> Ticket